Announcements

Hello APS'ters
It's been more than 10 years APS staff has been keeping this place alive and kickin ass from the rest!!!
And now is the time for us to ask help from all of you who are enjoying this place. APS are looking for generous members who are willing to show some support and love to raise funds for our VPS hosting and domain name fees. We would like to make the most contributions as much as we can and use all of it for "VPS hosting and Domain name fees" ONLY (no personal interest/expenses).
We want to keep this community alive and that wouldn't be possible without your help. We won't be promising any VIP access or whatsoever for monetary contributions.
But....... we can assure you that your contributions big or small can keep this place alive and that's the only thing we can promise you.
If you are feeling generous today feel free to send your contributions to our PAYPAL account. (ANY AMOUNT IS WELCOME)
PAYPAL:
allpinoystuff2017@yahoo.com
If you have any questions comment on this thread
or
Feel free to send me or any Admins/Supreme Mods a PM.
If you have contributed or will be contributing please let us know so we can directly say "thank you" to you.
Thanks in advance and more power to APS!!!

This comic is saying that the password in the top frames "Tr0ub4dor&3" is easier for password cracking software to guess because it has less entropy than "correcthorsebatterystaple" and also more difficult for a human to remember, leading to insecure practices like writing the password down on a post-it attached to the monitor.
In simple cases the entropy of a password is calculated as a^b where a is the number of allowed symbols and b is its length. A dictionary word (however long) has an entropy of around 65000, i.e. 16 bits. A truly random string of length 11 (not like "Tr0ub4dor&3", but more like "J4I/tyJ&Acy") has 94^11 = 72.1 bits. However the comic shows that "Tr0ub4dor&3" has only 28 bits of entropy. Another way of selecting a password is to have 2048 "symbols" (common words) and select only 4 of those symbols. 2048^4 = 44 bits, much better than 28. Using such symbols was again visited in one of the tips in 1820: Security Advice.
It is absolutely true that people make passwords hard to remember because they think they are "safer", and it is certainly true that length, all other things being equal, tends to make for very strong passwords, and this can be confirmed by using rumkin.com's password strength checker. Even if the individual characters are all limited to [a-z], the exponent implied in "we added another lowercase character, so multiply by 26 again" tends to dominate the results.
In addition to being easier to remember, long strings of lowercase characters are also easier to type on smartphones and soft keyboards.
xkcd's password generation scheme requires the user to have a list of 2048 common words (log2(2048) = 11). For any attack we must assume that the attacker knows our password generation algorithm, but not the exact password. In this case the attacker knows the 2048 words, and knows that we selected 4 words, but not which words. The number of combinations of 4 words from this list of words is (2^11)^4 = 2^44, i.e. 44 bits. For comparison, the entropy offered by Diceware's 7776 word list is 13 bits per word. If the attacker doesn't know the algorithm used, and only knows that lowercase letters are selected, the "common words" password would take even longer to crack than depicted. 25 random lowercase characters would have 117 bits of entropy, vs 44 bits for the common words list.
Example
Below there is a detailed example which shows how different rules of complexity work to generate a password with supposed 44 bits of entropy. The examples of expected passwords were generated on random.org. (*)
If n is the number of symbols and L is the length of the password, then L = 44 / log2(n).
a = lowercase letters
A = uppercase letters
9 = digits
& = the 32 special characters in an American keyboard; Randall assumes only the 16 most common characters are used in practice (4 bits)
(*) The use of random.org explains why jAwwBYne has two consecutive w's, why Re-:aRo has two R's, why _@~"#^.2 has no letters, why ewpltiayq has no numbers, why "constant yield" is part of a password, etc. A human would have attempted passwords that looked random.
Source:
http://www.explainxkcd.com/wiki/index.php?title=936#Explanation
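The arithmetic in the quoted explanation (entropy as length times log2 of the alphabet size, the required length L = 44 / log2(n) for each complexity rule, and the comic's pick-4-words scheme) carried through in a short script. This is an added worked example, not code from the forum post, from explainxkcd, or from xkcd. The symbol-class sizes follow the post's legend, with "&" taken as the 16 special characters the post says are assumed in practice; the 16-word list is constructed for the demo and is deliberately much smaller than the comic's 2048 words, so the entropy it yields is correspondingly lower.

```python
import math
import secrets

# Symbol-class sizes from the post's legend (a, A, 9, &). For "&" the post notes
# that only the 16 most common special characters are assumed in practice.
SYMBOL_CLASSES = {
    "a": 26,  # lowercase letters
    "A": 26,  # uppercase letters
    "9": 10,  # digits
    "&": 16,  # special characters assumed to be used in practice (4 bits)
}

# Constructed 16-word list standing in for the comic's 2048 common words.
# The entropy below is computed from whatever list is passed in, so the
# effect of a short list shows up directly in the numbers.
DEMO_WORDS = [
    "correct", "horse", "battery", "staple", "garden", "window", "pencil", "river",
    "candle", "silver", "rocket", "planet", "button", "forest", "marble", "tunnel",
]


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` symbols chosen uniformly from `alphabet_size`.

    This is log2(a^b) from the post, computed as b * log2(a) so that long
    passwords do not turn into huge integers.
    """
    return length * math.log2(alphabet_size)


def alphabet_size(classes):
    """Alphabet size for a union of the legend's classes, e.g. "aA9" -> 62."""
    return sum(SYMBOL_CLASSES[c] for c in classes)


def length_for_bits(n, target_bits=44):
    """Smallest whole length L with L * log2(n) >= target_bits.

    The post gives L = 44 / log2(n); rounding up keeps the guarantee.
    """
    return math.ceil(target_bits / math.log2(n))


def passphrase(wordlist, words=4):
    """The comic's scheme: pick `words` entries uniformly with a CSPRNG.

    Words may repeat (sampling with replacement), which is exactly what makes
    the entropy words * log2(len(wordlist)).
    """
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def strength_table():
    """Required length for 44 bits under each character-class rule in the legend."""
    return {classes: length_for_bits(alphabet_size(classes))
            for classes in ("a", "aA", "aA9", "aA9&")}


if __name__ == "__main__":
    print(f"one dictionary word, ~65000 choices   : {entropy_bits(65000, 1):5.1f} bits")
    print(f"11 random printable ASCII (94 symbols): {entropy_bits(94, 11):5.1f} bits")
    print(f"4 words from 2048                     : {entropy_bits(2048, 4):5.1f} bits")
    print(f"1 Diceware word (7776)                : {entropy_bits(7776, 1):5.1f} bits")
    print(f"25 random lowercase letters           : {entropy_bits(26, 25):5.1f} bits")
    print(f"4 words from the {len(DEMO_WORDS)}-word demo list : "
          f"{entropy_bits(len(DEMO_WORDS), 4):5.1f} bits")
    for classes, L in strength_table().items():
        print(f"rule {classes:4s} ({alphabet_size(classes):2d} symbols): L = {L}")
    print("sample passphrase:", passphrase(DEMO_WORDS))
```

Running it reproduces the figures in the post (72.1 bits for 94^11, 44 bits for 2048^4, about 13 bits per Diceware word, 117 bits for 25 lowercase letters) and shows that the required length for 44 bits drops only from 10 to 7 as the alphabet grows from lowercase letters to the full keyboard, while the 16-word demo list gives just 16 bits for four words: the strength of the passphrase scheme comes from the size of the list, not from the words looking random.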